Setting Up AWS PrivateLink for RDS-EKS Interaction

Overview:

This guide provides a walkthrough for configuring AWS PrivateLink to facilitate secure, private communication between an RDS (Amazon Relational Database Service) instance and an EKS (Amazon Elastic Kubernetes Service) cluster located in different regions. AWS PrivateLink allows for this interaction without the need for VPC peering, provided both services reside within the same AWS account.

The process involves creating two VPC (Virtual Private Cloud) endpoints: one in the RDS instance's region and another in the EKS cluster's region. These endpoints serve as intermediaries, enabling private connectivity between the RDS and EKS services.

While VPC peering isn't necessary for cross-region connectivity within the same AWS account, it becomes essential when the RDS and EKS are in different AWS accounts. Additionally, regardless of the account setup, a valid peering or VPN connection between the VPCs is crucial to ensure seamless traffic flow between the endpoints across different regions.

Configuration Steps

Using AWS Console

To establish a private link between different VPCs for accessing resources such as an EKS cluster and an RDS instance via the AWS Management Console, follow these steps:

Open the AWS Management Console and navigate to the VPC Dashboard. Select the VPC where the EKS cluster is operational.
Click on "Endpoints" in the left-hand menu, then click "Create Endpoint".
From the list of available services, select the service name for EKS and choose "Interface" for the endpoint type.
Select the VPC and the subnet where you wish to create the endpoint.
Choose the security group to associate with the endpoint. You can either create a new security group or select an existing one.
Review the configuration and click "Create Endpoint" to establish the VPC endpoint for EKS.
Repeat steps 2-6 for the VPC where the RDS instance is operational, selecting the RDS service name instead of EKS.
After creating both VPC endpoints, navigate to the route tables of each VPC and add a route for the CIDR block of the service to the VPC endpoint ID.
In the security group for the EKS cluster, permit inbound traffic from the security group associated with the VPC endpoint for the RDS instance.
In the security group for the RDS instance, permit inbound traffic from the security group associated with the VPC endpoint for the EKS cluster.
Test the connection by connecting to the EKS cluster from one of the pods running on the EKS cluster and RDS instance using their private IP addresses.

Note: Ensure the correct subnet and security group are selected for each endpoint when creating the VPC endpoints. Also, ensure the correct CIDR block and VPC endpoint ID are used when adding the routes to the route tables. In steps 9 and 10, select the correct security groups for the EKS cluster and RDS instance respectively.

Using AWS CLI

The aforementioned steps can also be executed using the AWS Command Line Interface (CLI). Here's how:

Create a VPC endpoint in the VPC where the EKS cluster is operational:

aws ec2 create-vpc-endpoint --vpc-id <vpc-id-of-EKS-cluster> --service-name com.amazonaws.<region>.eks --vpc-endpoint-type Interface --subnet-ids <subnet-id>

Create a VPC endpoint in the VPC where the RDS instance is operational:

aws ec2 create-vpc-endpoint --vpc-id <vpc-id-of-RDS-instance> --service-name com.amazonaws.<region>.rds --vpc-endpoint-type Interface --subnet-ids <subnet-id>

Modify the route tables in each VPC to direct traffic to the VPC endpoints:

aws ec2 create-route --route-table-id <route-table-id> --destination-cidr-block <service-ip> --vpc-endpoint-id <vpc-endpoint-id>

Create a security group for the EKS cluster:

aws ec2 create-security-group --group-name eks-sg --description "EKS security group" --vpc-id <vpc-id-of-EKS-cluster>

Authorize traffic from the VPC endpoint in the security group for the EKS cluster:

aws ec2 authorize-security-group-ingress --group-id <eks-security-group-id> --protocol tcp --port <port> --source-group <security-group-id-of-VPC-endpoint>

Modify the RDS instance to allow traffic from the security group of the VPC endpoint:

aws rds modify-db-instance --db-instance-identifier <db-instance-identifier> --vpc-security-group-ids <security-group-id-of-VPC-endpoint>

Verify the connection:

Ensure that you can access the EKS cluster and RDS instance using the private IP addresses of the VPC endpoints.

Note: In steps 1 and 2, you'll need to specify the subnet ID of the subnet where you wish to create the VPC endpoint. In step 3, repeat the create-route command for each VPC endpoint and route table. Lastly, in step 5, replace <port> with the port number that the EKS cluster uses to communicate with the RDS instance.

About LightBeam

LightBeam automates Privacy, Security, and AI Governance, so businesses can accelerate their growth in new markets. Leveraging generative AI, LightBeam has rapidly gained customers’ trust by pioneering a unique privacy-centric and automation-first approach to security. Unlike siloed solutions, LightBeam ties together sensitive data cataloging, control, and compliance across structured and unstructured data applications providing 360-visibility, redaction, self-service DSRs, and automated ROPA reporting ensuring ultimate protection against ransomware and accidental exposures while meeting data privacy obligations efficiently. LightBeam is on a mission to create a secure privacy-first world helping customers automate compliance against a patchwork of existing and emerging regulations.

PreviousIntegration and Setup NextTwingate and LightBeam Integration Guide

Last updated 1 year ago